
To secure access to the Aspire Administration UI with the ConfigFile authentication method, store the UI passwords in encrypted form rather than in clear text. Complete the following steps.

  1. Run bin/encryptPassword. When called with the optional "username" parameter, the script encrypts the password of the "administrator" or "developer" user and writes it into the settings.xml file. The password you pass to the script is also validated against the defined policy rules (see the explanation later in this article).

  2. Enable the ConfigFile authentication on the settings.xml file:

    settings.xml
    <authentication>
      <type>ConfigFile</type>
    </authentication>
  3. Start Aspire and log in as "administrator" or "developer" with the passwords you have just added. When Aspire starts, the stored passwords are validated against the defined policy rules as well.

How to configure UI password policy

The UI password policy is defined by three files in the config/security folder:

  • passwordPolicy.xml
  • passwordDictionary
  • passwordHistory.xml

The installation process provides default content for these files.

passwordPolicy.xml

This file defines the password policy rules for UI passwords. It also defines the maximum password age, after which a password is no longer valid. Note that the default value of 5000d is roughly 13.7 years, so passwords effectively never expire unless you lower it.

<?xml version="1.0" encoding="UTF-8"?>
<passwordPolicy>
  <rules>
    <!-- password must be between min and max chars long -->
    <lengthRule>
      <minimum>8</minimum>
      <maximum>15</maximum>
    </lengthRule>
    <!-- don't allow whitespace -->
    <whitespaceRule/>
    <!-- Control allowed characters -->
    <characterCharacteristicsRule>
      <!-- require at least 1 upper case char -->
      <uppercase>1</uppercase>
      <!-- require at least 1 lower case char -->
      <lowercase>1</lowercase>
      <!-- require at least 1 digit in passwords -->
      <digit>1</digit>
      <!-- require at least 1 non-alphanumeric char -->
      <nonalphanumeric>1</nonalphanumeric>
      <!-- require at least x of the previous rules be met -->
      <numberOfCharacteristics>3</numberOfCharacteristics>
    </characterCharacteristicsRule>
    <!-- don't allow alphabetical sequences -->
    <alphabeticalSequenceRule/>
    <!-- don't allow numerical sequences -->
    <numericalSequenceRule/>
    <!-- don't allow qwerty sequences -->
    <qwertySequenceRule/>
    <!-- don't allow 4 repeat characters -->
    <repeatCharacterRule/>
    <!-- do not allow matching against history -->
    <historyRule/>
    <!-- do not allow matching against Dictionary -->
    <dictionaryRule>
      <wordLength>4</wordLength>
      <matchBackwards>true</matchBackwards>
    </dictionaryRule>
  </rules>

  <!-- uncomment if you do not want default values -->
  <!--passwordHistory>
    <historyFile>config/security/passwordHistory.xml</historyFile>
  </passwordHistory-->
  <!--dictionary>
    <dictionaryFile>config/security/passwordDictionary</dictionaryFile>
  </dictionary-->

  <!-- maximum password age - The suffix of the value should be one of ms,s,m,h,d  -->
  <maximumPasswordAge>5000d</maximumPasswordAge>
</passwordPolicy>
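As an added example (not Aspire's own code, which performs this validation in Java inside bin/encryptPassword and at startup), the following Python screens a candidate password against the rules in passwordPolicy.xml before you hand it to the script, and parses maximumPasswordAge into seconds so the effective expiry is visible. The sample dictionary is constructed, and the rule semantics (five-character sequences, forward and backward sequence matching, substring dictionary matching for words of at least wordLength) are assumptions about how the rules behave; historyRule is not modelled because the page does not show the history file's format.

```python
"""Offline checker for the rules in passwordPolicy.xml (added example, not Aspire code).
Rule semantics below are assumptions drawn from the comments in the policy file."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the rules section of the default passwordPolicy.xml.
POLICY_XML = """<passwordPolicy>
  <rules>
    <lengthRule><minimum>8</minimum><maximum>15</maximum></lengthRule>
    <whitespaceRule/>
    <characterCharacteristicsRule>
      <uppercase>1</uppercase><lowercase>1</lowercase>
      <digit>1</digit><nonalphanumeric>1</nonalphanumeric>
      <numberOfCharacteristics>3</numberOfCharacteristics>
    </characterCharacteristicsRule>
    <alphabeticalSequenceRule/>
    <numericalSequenceRule/>
    <qwertySequenceRule/>
    <repeatCharacterRule/>
    <dictionaryRule><wordLength>4</wordLength><matchBackwards>true</matchBackwards></dictionaryRule>
  </rules>
  <maximumPasswordAge>5000d</maximumPasswordAge>
</passwordPolicy>"""

# Constructed stand-in for config/security/passwordDictionary (one word per line in the real file).
DICTIONARY = {"password", "aspire", "admin", "welcome"}

SEQ_LEN = 5       # assumption: a run of 5+ consecutive characters counts as a sequence
REPEAT_LEN = 4    # from the policy comment "don't allow 4 repeat characters"
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"
QWERTY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
UNIT_SECONDS = {"ms": 0.001, "s": 1, "m": 60, "h": 3600, "d": 86400}


def _has_run(pw, source, n):
    """True if any n-character window of pw appears in source, forwards or backwards."""
    low = pw.lower()
    for i in range(len(low) - n + 1):
        window = low[i:i + n]
        if window in source or window[::-1] in source:
            return True
    return False


def check_password(pw, policy_xml=POLICY_XML, dictionary=DICTIONARY):
    """Return the names of violated rules; an empty list means the password passes."""
    rules = ET.fromstring(policy_xml).find("rules")
    failures = []

    length = rules.find("lengthRule")
    if length is not None:
        lo, hi = int(length.findtext("minimum")), int(length.findtext("maximum"))
        if not lo <= len(pw) <= hi:
            failures.append("lengthRule")

    if rules.find("whitespaceRule") is not None and re.search(r"\s", pw):
        failures.append("whitespaceRule")

    ccr = rules.find("characterCharacteristicsRule")
    if ccr is not None:
        counts = {
            "uppercase": sum(c.isupper() for c in pw),
            "lowercase": sum(c.islower() for c in pw),
            "digit": sum(c.isdigit() for c in pw),
            "nonalphanumeric": sum(not c.isalnum() for c in pw),
        }
        # A characteristic is met when the password has at least the configured count.
        met = sum(counts[k] >= int(ccr.findtext(k)) for k in counts if ccr.findtext(k))
        if met < int(ccr.findtext("numberOfCharacteristics") or len(counts)):
            failures.append("characterCharacteristicsRule")

    if rules.find("alphabeticalSequenceRule") is not None and _has_run(pw, ALPHABET, SEQ_LEN):
        failures.append("alphabeticalSequenceRule")
    if rules.find("numericalSequenceRule") is not None and _has_run(pw, DIGITS, SEQ_LEN):
        failures.append("numericalSequenceRule")
    if rules.find("qwertySequenceRule") is not None and any(
            _has_run(pw, row, SEQ_LEN) for row in QWERTY_ROWS):
        failures.append("qwertySequenceRule")

    # (.)\1{3,} matches the same character four or more times in a row.
    if rules.find("repeatCharacterRule") is not None and re.search(
            r"(.)\1{%d,}" % (REPEAT_LEN - 1), pw):
        failures.append("repeatCharacterRule")

    dr = rules.find("dictionaryRule")
    if dr is not None:
        min_len = int(dr.findtext("wordLength"))
        backwards = dr.findtext("matchBackwards") == "true"
        low = pw.lower()
        if any(len(w) >= min_len and (w in low or (backwards and w[::-1] in low))
               for w in dictionary):
            failures.append("dictionaryRule")
    return failures


def max_password_age_seconds(policy_xml=POLICY_XML):
    """Parse <maximumPasswordAge> (integer plus suffix ms/s/m/h/d) into seconds."""
    text = ET.fromstring(policy_xml).findtext("maximumPasswordAge").strip()
    m = re.fullmatch(r"(\d+)(ms|s|m|h|d)", text)
    if not m:
        raise ValueError("unsupported maximumPasswordAge value: %r" % text)
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor&3", "password123", "Abcdef1!", "Qwerty1!aaaa"]:
        print(candidate, check_password(candidate) or "OK")
    print("max age (days):", max_password_age_seconds() / 86400)
```

Run it on a candidate before calling bin/encryptPassword; a non-empty list names the rules the script (and Aspire at startup) would also reject it for, so you can fix the password without restarting Aspire to find out.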
